Re: [pfSense] LAN routing through multi-hopping IPSec setup

2017-05-03 Thread Eleuterio Contracampo
Thank you Jon. It works!

-EC

On Wed, May 3, 2017 at 6:48 AM, Jon Gerdes  wrote:

> EC
>
> Add an additional Phase 2 entry on each set of tunnels:
>
> pf2 -> pf1 = tunnel A
> pf2 -> pf3 = tunnel B
>
> Add a Phase 2 on tunnel A for local 192.168.40/24 to remote
> 192.168.44/24
>
> Add a Phase 2 on tunnel B for local 192.168.44/24 to remote
> 192.168.40/24
>
> Add firewall rules to taste.
>
> Cheers
> Jon
>
>
> On Tue, 2017-05-02 at 17:45 -0400, Eleuterio Contracampo wrote:
> > Hello everyone,
> >
> > I have the following setup:
> >
> > PFsense1 (LAN1: 192.168.40.0/24)
> > PFsense2 (LAN2: 192.168.41.0/24)
> > PFSense3 (LAN3: 192.168.44.0/24)
> >
> > I've got two MPLS lines connecting PFSense2<->PFSense1<->PFSense3
> > (PFSense1
> > is the center of the star topology). I use IPSec tunnels on top of
> > MPLS
> > links.
> >
> > I'm able to get from LAN1 to LAN2 and from LAN1 to LAN3 via IPSec
> > tunnels.
> >
> > I need to make LAN2 and LAN3 visible to each other. Is it possible to
> > do it
> > via IPSec links?
> >
> > I've tried adding an additional Phase 2 entry at PFSense1 posing as
> > if LAN3
> > were local, and adding the corresponding Phase 2 entry at PFSense2 to
> > tell
> > LAN2 to route packets destined to LAN3 via that newly added Phase 2
> > sub-tunnel against PFSense1. Packets do arrive to PFSense1 but don't
> > progress any further despite having static routes indicating how to
> > get to
> > LAN3. I hope I'm clear about the problem.
> >
> > If it were not possible to do it via IPSec routing, is there any
> > other
> > solution different than NAT+static routes?
> >
> > Thanks in advance!
> > -EC
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
>


Re: [pfSense] LAN routing through multi-hopping IPSec setup

2017-05-03 Thread Jon Gerdes
EC

Add an additional Phase 2 entry on each set of tunnels:

pf2 -> pf1 = tunnel A
pf2 -> pf3 = tunnel B

Add a Phase 2 on tunnel A for local 192.168.40/24 to remote
192.168.44/24

Add a Phase 2 on tunnel B for local 192.168.44/24 to remote
192.168.40/24

Add firewall rules to taste.

Cheers
Jon


On Tue, 2017-05-02 at 17:45 -0400, Eleuterio Contracampo wrote:
> Hello everyone,
> 
> I have the following setup:
> 
> PFsense1 (LAN1: 192.168.40.0/24)
> PFsense2 (LAN2: 192.168.41.0/24)
> PFSense3 (LAN3: 192.168.44.0/24)
> 
> I've got two MPLS lines connecting PFSense2<->PFSense1<->PFSense3
> (PFSense1
> is the center of the star topology). I use IPSec tunnels on top of
> MPLS
> links.
> 
> I'm able to get from LAN1 to LAN2 and from LAN1 to LAN3 via IPSec
> tunnels.
> 
> I need to make LAN2 and LAN3 visible to each other. Is it possible to
> do it
> via IPSec links?
> 
> I've tried adding an additional Phase 2 entry at PFSense1 posing as
> if LAN3
> were local, and adding the corresponding Phase 2 entry at PFSense2 to
> tell
> LAN2 to route packets destined to LAN3 via that newly added Phase 2
> sub-tunnel against PFSense1. Packets do arrive to PFSense1 but don't
> progress any further despite having static routes indicating how to
> get to
> LAN3. I hope I'm clear about the problem.
> 
> If it were not possible to do it via IPSec routing, is there any
> other
> solution different than NAT+static routes?
> 
> Thanks in advance!
> -EC
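Added example, not from the thread or from pfSense itself: a small Python model of how policy-based IPsec picks a tunnel by Phase 2 selector rather than by routing table, for the hub-and-spoke layout EC describes. It reproduces the symptom EC saw (traffic reaches pf1 and stops) when only tunnel A carries the spoke-to-spoke Phase 2, and delivery once both tunnels carry the mirrored pair as Jon describes. The host names pf1..pf3 and tunnel names A/B follow Jon's mail; using LAN2 (192.168.41.0/24) and LAN3 (192.168.44.0/24) as the spoke pair is an assumption taken from EC's original description.

```python
from ipaddress import ip_address, ip_network
# Constructed model of the thread's topology: pf1 is the hub, pf2 and pf3 the spokes.
LAN1, LAN2, LAN3 = (ip_network(n) for n in ("192.168.40.0/24", "192.168.41.0/24", "192.168.44.0/24"))
LANS = {"pf1": LAN1, "pf2": LAN2, "pf3": LAN3}            # LAN behind each pfSense host
TUNNELS = {"A": ("pf2", "pf1"), "B": ("pf1", "pf3")}      # tunnel name -> its two endpoints

def hub_spoke_spd():
    """Per-host SPD: tunnel -> list of (local, remote) Phase 2 selectors, hub<->spoke only."""
    return {"pf2": {"A": [(LAN2, LAN1)]},
            "pf1": {"A": [(LAN1, LAN2)], "B": [(LAN1, LAN3)]},
            "pf3": {"B": [(LAN3, LAN1)]}}

def ec_attempt(spd):
    """EC's first try: the LAN2<->LAN3 pair on tunnel A only. pf1's static routes are
    not modelled: policy-based IPsec matches selectors, never the routing table."""
    spd["pf2"]["A"].append((LAN2, LAN3))
    spd["pf1"]["A"].append((LAN3, LAN2))
    return spd

def jon_fix(spd):
    """Jon's answer: mirror the same pair onto tunnel B so the hub can forward it on."""
    ec_attempt(spd)
    spd["pf1"]["B"].append((LAN2, LAN3))
    spd["pf3"]["B"].append((LAN3, LAN2))
    return spd

def select_tunnel(spd, host, src, dst):
    """Outbound: first tunnel with a Phase 2 whose local contains src and remote contains dst."""
    for tunnel, entries in spd[host].items():
        if any(src in local and dst in remote for local, remote in entries):
            return tunnel
    return None

def accepts_inbound(spd, host, tunnel, src, dst):
    """Inbound: the decrypted packet must match a Phase 2 with src in remote and dst in local."""
    return any(src in remote and dst in local for local, remote in spd[host][tunnel])

def trace(spd, start, src, dst):
    """Follow a packet hop by hop; return (hops taken, outcome string)."""
    src, dst, host, hops = ip_address(src), ip_address(dst), start, []
    while dst not in LANS[host]:
        tunnel = select_tunnel(spd, host, src, dst)
        if tunnel is None:
            return hops, "dropped at %s: no outbound Phase 2 matches" % host
        peer = TUNNELS[tunnel][1] if TUNNELS[tunnel][0] == host else TUNNELS[tunnel][0]
        if not accepts_inbound(spd, peer, tunnel, src, dst):
            return hops, "dropped at %s: no inbound Phase 2 on tunnel %s" % (peer, tunnel)
        hops.append((host, peer, tunnel))
        host = peer
    return hops, "delivered"
```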